Zero Trust
zero_trust
Access
zero_trust.access
zero_trust.access.ai_controls
zero_trust.access.ai_controls.mcp
zero_trust.access.ai_controls.mcp.portals
Methods
List MCP Portals
Create a new MCP Portal
Read details of an MCP Portal
Update a MCP Portal
Delete a MCP Portal
zero_trust.access.ai_controls.mcp.servers
Methods
List MCP Servers
Create a new MCP Server
Read the details of a MCP Server
Update a MCP Server
Delete a MCP Server
Sync MCP Server Capabilities
zero_trust.access.applications
Methods
Lists all Access applications in an account or zone.
Fetches information about an Access application.
Adds a new application to Access.
Updates an Access application.
Deletes an application from Access.
Revokes all tokens issued for an application.
Domain types
The identity providers selected for application.
Identifier.
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The application type.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
The format of the name identifier sent to the SaaS application.
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
Transformations and filters applied to resources before they are provisioned in the remote SCIM service.
A domain that Access will secure.
zero_trust.access.applications.cas
Methods
Lists short-lived certificate CAs and their public keys.
Fetches a short-lived certificate CA and its public key.
Generates a new short-lived certificate CA and public key.
Deletes a short-lived certificate CA.
Domain types
zero_trust.access.applications.policies
Methods
Lists Access policies configured for an application. Returns both exclusively scoped and reusable policies used by the application.
Fetches a single Access policy configured for an application. Returns both exclusively owned and reusable policies used by the application.
Creates a policy applying exclusive to a single application that defines the users or groups who can reach it. We recommend creating a reusable policy instead and subsequently referencing its ID in the application's 'policies' array.
Updates an Access policy specific to an application. To update a reusable policy, use the /account or zones/{account or zone_id}/policies/{uid} endpoint.
Deletes an Access policy specific to an application. To delete a reusable policy, use the /account or zones/{account or zone_id}/policies/{uid} endpoint.
Domain types
Enforces a device posture rule has run successfully
Matches an Access group.
Matches any valid Access Service Token
Enforce different MFA options
Matches an Azure group. Requires an Azure identity provider.
Matches any valid client certificate.
Matches a specific country
Match an entire email domain.
Matches an email address from a list.
Matches a specific email.
Matches everyone.
Create Allow or Block policies which evaluate the user based on custom criteria.
Matches a Github organization. Requires a Github identity provider.
Matches an Access group.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
Matches an IP address from a list.
Matches an IP address block.
Matches an Okta group. Requires an Okta identity provider.
Matches a SAML group. Requires a SAML identity provider.
Matches a specific Access Service Token
zero_trust.access.applications.policy_tests
Methods
Fetches the current status of a given Access policy test.
Starts an Access policy test.
zero_trust.access.applications.policy_tests.users
Methods
Fetches a single page of user results from an Access policy test.
zero_trust.access.applications.settings
Methods
Updates Access application settings.
Updates Access application settings.
zero_trust.access.applications.user_policy_checks
Methods
Tests if a specific user has permission to access an application.
Domain types
zero_trust.access.bookmarks
Methods
Lists Bookmark applications.
Fetches a single Bookmark application.
Create a new Bookmark application.
Updates a configured Bookmark application.
Deletes a Bookmark application.
Domain types
zero_trust.access.certificates
Methods
Lists all mTLS root certificates.
Fetches a single mTLS certificate.
Adds a new mTLS root certificate to Access.
Updates a configured mTLS certificate.
Deletes an mTLS certificate.
Domain types
A fully-qualified domain name (FQDN).
zero_trust.access.certificates.settings
Methods
List all mTLS hostname settings for this account or zone.
Updates an mTLS certificate's hostname settings.
Domain types
zero_trust.access.custom_pages
Methods
List custom pages
Fetches a custom page and also returns its HTML.
Create a custom page
Update a custom page
Delete a custom page
Domain types
zero_trust.access.gateway_ca
Methods
Lists SSH Certificate Authorities (CA).
Adds a new SSH Certificate Authority (CA).
Deletes an SSH Certificate Authority.
zero_trust.access.groups
Methods
Lists all Access groups.
Fetches a single Access group.
Creates a new Access group.
Updates a configured Access group.
Deletes an Access group.
Domain types
zero_trust.access.infrastructure
zero_trust.access.infrastructure.targets
Methods
Lists and sorts an account’s targets. Filters are optional and are ANDed together.
Get target
Create new target
Update target
Delete target
Adds one or more targets.
Removes one or more targets.
Removes one or more targets.
zero_trust.access.keys
Methods
Gets the Access key rotation settings for an account.
Updates the Access key rotation settings for an account.
Perfoms a key rotation for an account.
zero_trust.access.logs
zero_trust.access.logs.access_requests
Methods
Gets a list of Access authentication audit logs for an account.
The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.
Example: X-Auth-Email: user@example.com
The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.
Example: X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194
Access: Audit Logs Read
Identifier.
The chronological sorting order for the logs.
Filter by user email. Defaults to substring matching. To force exact matching, set email_exact=true.
Example (default): email=@example.com returns all events with that domain.
Example (exact): email=user@example.com&email_exact=true returns only that user.
When true, email is matched exactly instead of substring matching.
The maximum number of log entries to retrieve.
Page number of results.
Number of results per page.
The earliest event timestamp to query.
The latest event timestamp to query.
Filter by user UUID.
Whether the API call was successful.
zero_trust.access.logs.scim
Domain types
zero_trust.access.logs.scim.updates
Methods
Lists Access SCIM update logs that maintain a record of updates made to User and Group resources synced to Cloudflare via the System for Cross-domain Identity Management (SCIM).
zero_trust.access.policies
Methods
Lists Access reusable policies.
Fetches a single Access reusable policy.
Creates a new Access reusable policy.
Updates a Access reusable policy.
Deletes an Access reusable policy.
Domain types
A group of email addresses that can approve a temporary authentication request.
zero_trust.access.service_tokens
Methods
Lists all service tokens.
Fetches a single service token.
Generates a new service token. Note: This is the only time you can get the Client Secret. If you lose the Client Secret, you will have to rotate the Client Secret or create a new service token.
Updates a configured service token.
Deletes a service token.
Refreshes the expiration of a service token.
Generates a new Client Secret for a service token and revokes the old one.
Domain types
zero_trust.access.users
Methods
Gets a list of users for an account.
Domain types
zero_trust.access.users.active_sessions
Methods
Get active sessions for a single user.
Get an active session for a single user.
zero_trust.access.users.failed_logins
Methods
Get all failed login attempts for a single user.
zero_trust.access.users.last_seen_identity
Methods
Get last seen identity for a single user.
Domain types
Connectivity
zero_trust.connectivity
zero_trust.connectivity.directory
zero_trust.connectivity.directory.services
Methods
List connectivity services
Create connectivity service
Get connectivity service
Update connectivity service
Delete connectivity service
Connectivity Settings
zero_trust.connectivity_settings
Methods
Gets the Zero Trust Connectivity Settings for the given account.
Updates the Zero Trust Connectivity Settings for the given account.
Devices
zero_trust.devices
Methods
List WARP devices. Not supported when multi-user mode is enabled for the account.
Deprecated: please use one of the following endpoints instead:
- GET /accounts/{account_id}/devices/physical-devices
- GET /accounts/{account_id}/devices/registrations
Fetches a single WARP device. Not supported when multi-user mode is enabled for the account.
Deprecated: please use one of the following endpoints instead:
- GET /accounts/{account_id}/devices/physical-devices/{device_id}
- GET /accounts/{account_id}/devices/registrations/{registration_id}
Domain types
zero_trust.devices.devices
Methods
Lists WARP devices.
Fetches a single WARP device.
Deletes a WARP device.
Revokes all WARP registrations associated with the specified device.
zero_trust.devices.dex_tests
Methods
Fetch all DEX tests
Fetch a single DEX test.
Create a DEX test.
Update a DEX test.
Delete a Device DEX test. Returns the remaining device dex tests for the account.
Domain types
The configuration object which contains the details for the WARP client to conduct the test.
zero_trust.devices.fleet_status
Methods
Get the live status of a latest device given device_id from the device_state table
zero_trust.devices.networks
Methods
Fetches a list of managed networks for an account.
Fetches details for a single managed network.
Creates a new device managed network.
Updates a configured device managed network.
Deletes a device managed network and fetches a list of the remaining device managed networks for an account.
Domain types
zero_trust.devices.override_codes
Methods
Fetches a one-time use admin override code for a device. This relies on the Admin Override setting being enabled in your device configuration. Not supported when multi-user mode is enabled for the account. Deprecated: please use GET /accounts/{account_id}/devices/registrations/{registration_id}/override_codes instead.
Fetches one-time use admin override codes for a registration. This relies on the Admin Override setting being enabled in your device configuration.
zero_trust.devices.policies
Domain types
zero_trust.devices.policies.custom
Methods
Fetches a list of the device settings profiles for an account.
Fetches a device settings profile by ID.
Creates a device settings profile to be applied to certain devices matching the criteria.
Updates a configured device settings profile.
Deletes a device settings profile and fetches a list of the remaining profiles for an account.
zero_trust.devices.policies.custom.excludes
Methods
Fetches the list of routes excluded from the WARP client's tunnel for a specific device settings profile.
Sets the list of routes excluded from the WARP client's tunnel for a specific device settings profile.
zero_trust.devices.policies.custom.fallback_domains
Methods
Fetches the list of domains to bypass Gateway DNS resolution from a specified device settings profile. These domains will use the specified local DNS resolver instead.
Sets the list of domains to bypass Gateway DNS resolution. These domains will use the specified local DNS resolver instead. This will only apply to the specified device settings profile.
zero_trust.devices.policies.custom.includes
Methods
Fetches the list of routes included in the WARP client's tunnel for a specific device settings profile.
Sets the list of routes included in the WARP client's tunnel for a specific device settings profile.
zero_trust.devices.policies.default
Methods
Fetches the default device settings profile for an account.
Updates the default device settings profile for an account.
zero_trust.devices.policies.default.certificates
Methods
Fetches device certificate provisioning.
Enable Zero Trust Clients to provision a certificate, containing a x509 subject, and referenced by Access device posture policies when the client visits MTLS protected domains. This facilitates device posture without a WARP session.
zero_trust.devices.policies.default.excludes
Methods
Fetches the list of routes excluded from the WARP client's tunnel.
Sets the list of routes excluded from the WARP client's tunnel.
zero_trust.devices.policies.default.fallback_domains
Methods
Fetches a list of domains to bypass Gateway DNS resolution. These domains will use the specified local DNS resolver instead.
Sets the list of domains to bypass Gateway DNS resolution. These domains will use the specified local DNS resolver instead.
zero_trust.devices.policies.default.includes
Methods
Fetches the list of routes included in the WARP client's tunnel.
Sets the list of routes included in the WARP client's tunnel.
zero_trust.devices.posture
Methods
Fetches device posture rules for a Zero Trust account.
Fetches a single device posture rule.
Creates a new device posture rule.
Updates a device posture rule.
Deletes a device posture rule.
Domain types
The value to be checked against.
zero_trust.devices.posture.integrations
Methods
Fetches the list of device posture integrations for an account.
Fetches details for a single device posture integration.
Create a new device posture integration.
Updates a configured device posture integration.
Delete a configured device posture integration.
Domain types
zero_trust.devices.registrations
Methods
Lists WARP registrations.
Fetches a single WARP registration.
Deletes a WARP registration.
Deletes a list of WARP registrations.
Revokes a list of WARP registrations.
Unrevokes a list of WARP registrations.
zero_trust.devices.resilience
zero_trust.devices.resilience.global_warp_override
Methods
Fetch the Global WARP override state.
Sets the Global WARP override state.
zero_trust.devices.revoke
Methods
Revokes a list of devices. Not supported when multi-user mode is enabled.
Deprecated: please use POST /accounts/{account_id}/devices/registrations/revoke instead.
zero_trust.devices.settings
Methods
Describes the current device settings for a Zero Trust account.
Updates the current device settings for a Zero Trust account.
Patches the current device settings for a Zero Trust account.
Resets the current device settings for a Zero Trust account.
Domain types
zero_trust.devices.unrevoke
Methods
Unrevokes a list of devices. Not supported when multi-user mode is enabled.
Deprecated: please use POST /accounts/{account_id}/devices/registrations/unrevoke instead.
DEX
zero_trust.dex
Domain types
zero_trust.dex.colos
Methods
List Cloudflare colos that account's devices were connected to during a time period, sorted by usage starting from the most used colo. Colos without traffic are also returned and sorted alphabetically.
zero_trust.dex.commands
Methods
Retrieves a paginated list of commands issued to devices under the specified account, optionally filtered by time range, device, or other parameters
Initiate commands for up to 10 devices per account
zero_trust.dex.commands.devices
Methods
List devices with WARP client support for remote captures which have been connected in the last 1 hour.
zero_trust.dex.commands.downloads
Methods
Downloads artifacts for an executed command. Bulk downloads are not supported
zero_trust.dex.commands.quota
Methods
Retrieves the current quota usage and limits for device commands within a specific account, including the time when the quota will reset
zero_trust.dex.fleet_status
Methods
List details for live (up to 60 minutes) devices using WARP
List details for devices using WARP, up to 7 days
Domain types
zero_trust.dex.fleet_status.devices
Methods
List details for devices using WARP
zero_trust.dex.http_tests
Methods
Get test details and aggregate performance metrics for an http test for a given time period between 1 hour and 7 days.
Domain types
zero_trust.dex.http_tests.percentiles
Methods
Get percentiles for an http test for a given time period between 1 hour and 7 days.
Domain types
zero_trust.dex.tests
Methods
List DEX tests with overview metrics
Domain types
zero_trust.dex.tests.unique_devices
Methods
Returns unique count of devices that have run synthetic application monitoring tests in the past 7 days.
Domain types
zero_trust.dex.traceroute_test_results
zero_trust.dex.traceroute_test_results.network_path
Methods
Get a breakdown of hops and performance metrics for a specific traceroute test run
zero_trust.dex.traceroute_tests
Methods
Get test details and aggregate performance metrics for an traceroute test for a given time period between 1 hour and 7 days.
Get percentiles for a traceroute test for a given time period between 1 hour and 7 days.
Get a breakdown of metrics by hop for individual traceroute test runs
Domain types
zero_trust.dex.warp_change_events
Methods
List WARP configuration and enablement toggle change events by device.
DLP
zero_trust.dlp
zero_trust.dlp.datasets
Methods
Fetch all datasets
Fetch a specific dataset
Create a new dataset
Update details about a dataset
This deletes all versions of the dataset.
Domain types
zero_trust.dlp.datasets.upload
Methods
Prepare to upload a new version of a dataset
This is used for single-column EDMv1 and Custom Word Lists. The EDM format can only be created in the Cloudflare dashboard. For other clients, this operation can only be used for non-secret Custom Word Lists. The body must be a UTF-8 encoded, newline (NL or CRNL) separated list of words to be matched.
Domain types
zero_trust.dlp.datasets.versions
Methods
This is used for multi-column EDMv2 datasets. The EDMv2 format can only be created in the Cloudflare dashboard. The columns in the response appear in the same order as in the request.
zero_trust.dlp.datasets.versions.entries
Methods
This is used for multi-column EDMv2 datasets. The EDMv2 format can only be created in the Cloudflare dashboard.
zero_trust.dlp.email
zero_trust.dlp.email.account_mapping
Methods
Get mapping
Create mapping
zero_trust.dlp.email.rules
Methods
Lists all email scanner rules for an account.
Get an email scanner rule
Create email scanner rule
Update email scanner rule
Delete email scanner rule
Update email scanner rule priorities
zero_trust.dlp.entries
Methods
Lists all DLP entries in an account.
Fetches a DLP entry by ID.
Creates a DLP custom entry.
Updates a DLP entry.
Deletes a DLP custom entry.
zero_trust.dlp.entries.custom
Methods
Creates a DLP custom entry.
Updates a DLP custom entry.
Deletes a DLP custom entry.
Fetches a DLP entry by ID.
Lists all DLP entries in an account.
zero_trust.dlp.entries.integration
Methods
Integration entries can't be created, this will update an existing integration entry This is needed for our generated terraform API
Updates a DLP entry.
This is a no-op as integration entires can't be deleted but is needed for our generated terraform API
Fetches a DLP entry by ID.
Lists all DLP entries in an account.
zero_trust.dlp.entries.predefined
Methods
Predefined entries can't be created, this will update an existing predefined entry This is needed for our generated terraform API
Updates a DLP entry.
This is a no-op as predefined entires can't be deleted but is needed for our generated terraform API
Fetches a DLP entry by ID.
Lists all DLP entries in an account.
zero_trust.dlp.limits
Methods
Fetch limits associated with DLP for account
zero_trust.dlp.patterns
Methods
Validates whether this pattern is a valid regular expression. Rejects it if
the regular expression is too complex or can match an unbounded-length
string. The regex will be rejected if it uses * or +. Bound the maximum
number of characters that can be matched using a range, e.g. {1,100}.
zero_trust.dlp.payload_logs
Methods
Get payload log settings
Set payload log settings
zero_trust.dlp.profiles
Methods
Lists all DLP profiles in an account.
Fetches a DLP profile by ID.
Domain types
Scan the context of predefined entries to only return matches surrounded by keywords.
Content types to exclude from context analysis and return all matches.
zero_trust.dlp.profiles.custom
Methods
Fetches a custom DLP profile by id.
Creates a DLP custom profile.
Updates a DLP custom profile.
Deletes a DLP custom profile.
Domain types
zero_trust.dlp.profiles.predefined
Methods
Fetches a predefined DLP profile by id.
Creates a DLP predefined profile. Only supports enabling/disabling entries.
Updates a DLP predefined profile. Only supports enabling/disabling entries.
This is a no-op as predefined profiles can't be deleted but is needed for our generated terraform API
Domain types
Gateway
zero_trust.gateway
Methods
Retrieve information about the current Zero Trust account.
Create a Zero Trust account for an existing Cloudflare account.
zero_trust.gateway.app_types
Methods
List all application and application type mappings.
Domain types
zero_trust.gateway.audit_ssh_settings
Methods
Retrieve all Zero Trust Audit SSH and SSH with Access for Infrastructure settings for an account.
Update Zero Trust Audit SSH and SSH with Access for Infrastructure settings for an account.
Rotate the SSH account seed that generates the host key identity when connecting through the Cloudflare SSH Proxy.
Domain types
zero_trust.gateway.categories
Methods
List all categories.
Domain types
zero_trust.gateway.certificates
Methods
List all Zero Trust certificates for an account.
Get a single Zero Trust certificate.
Create a new Zero Trust certificate.
Delete a gateway-managed Zero Trust certificate. You must deactivate the certificate from the edge (inactive) before deleting it.
Bind a single Zero Trust certificate to the edge.
Unbind a single Zero Trust certificate from the edge.
zero_trust.gateway.configurations
Methods
Retrieve the current Zero Trust account configuration.
Update the current Zero Trust account configuration.
Update (PATCH) a single subcollection of settings such as antivirus, tls_decrypt, activity_log, block_page, browser_isolation, fips, body_scanning, or certificate without updating the entire configuration object. This endpoint returns an error if any settings collection lacks proper configuration.
Domain types
Specify activity log settings.
Specify anti-virus settings.
Specify block page layout settings.
Specify the DLP inspection mode.
Specify Clientless Browser Isolation settings.
Specify custom certificate settings for BYO-PKI. This field is deprecated; use certificate instead.
Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses . or + modifiers.
Specify FIPS settings.
Specify account settings.
Configure the message the user's device shows during an antivirus scan.
Specify whether to detect protocols from the initial bytes of client traffic.
Specify whether to inspect encrypted HTTP traffic.
zero_trust.gateway.configurations.custom_certificate
Methods
Retrieve the current Zero Trust certificate configuration.
zero_trust.gateway.lists
Methods
Fetch all Zero Trust lists for an account.
Fetch a single Zero Trust list.
Creates a new Zero Trust list.
Updates a configured Zero Trust list. Skips updating list items if not included in the payload. A non empty list items will overwrite the existing list.
Appends or removes an item from a configured Zero Trust list.
Deletes a Zero Trust list.
Domain types
zero_trust.gateway.lists.items
Methods
Fetch all items in a single Zero Trust list.
zero_trust.gateway.locations
Methods
List Zero Trust Gateway locations for an account.
Get a single Zero Trust Gateway location.
Create a new Zero Trust Gateway location.
Update a configured Zero Trust Gateway location.
Delete a configured Zero Trust Gateway location.
Domain types
Configure the destination endpoints for this location.
zero_trust.gateway.logging
Methods
Retrieve the current logging settings for the Zero Trust account.
Update logging settings for the current Zero Trust account.
Domain types
zero_trust.gateway.proxy_endpoints
Methods
List all Zero Trust Gateway proxy endpoints for an account.
Get a single Zero Trust Gateway proxy endpoint.
Create a new Zero Trust Gateway proxy endpoint.
Update a configured Zero Trust Gateway proxy endpoint.
Delete a configured Zero Trust Gateway proxy endpoint.
Domain types
Specify an IPv4 or IPv6 CIDR. Limit IPv6 to a maximum of /109 and IPv4 to a maximum of /25.
zero_trust.gateway.rules
Methods
List Zero Trust Gateway rules for an account.
Get a single Zero Trust Gateway rule.
Create a new Zero Trust Gateway rule.
Update a configured Zero Trust Gateway rule.
Delete a Zero Trust Gateway rule.
List Zero Trust Gateway rules for the parent account of an account in the MSP configuration.
Resets the expiration of a Zero Trust Gateway Rule if its duration elapsed and it has a default duration. The Zero Trust Gateway Rule must have values for both expiration.expires_at and expiration.duration.
Domain types
Specify the protocol or layer to use.
Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
Defines the schedule for activating DNS policies. Settable only for dns and dns_resolver rules.
Identity Providers
zero_trust.identity_providers
Methods
Lists all configured identity providers.
Fetches a configured identity provider.
Adds a new identity provider to Access.
Updates a configured identity provider.
Deletes an identity provider from Access.
Domain types
The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
zero_trust.identity_providers.scim
zero_trust.identity_providers.scim.groups
Methods
Lists SCIM Group resources synced to Cloudflare via the System for Cross-domain Identity Management (SCIM).
zero_trust.identity_providers.scim.users
Methods
Lists SCIM User resources synced to Cloudflare via the System for Cross-domain Identity Management (SCIM).
Networks
zero_trust.networks
zero_trust.networks.hostname_routes
Methods
Lists and filters hostname routes in an account.
Get a hostname route.
Create a hostname route.
Updates a hostname route.
Delete a hostname route.
Domain types
zero_trust.networks.routes
Methods
Lists and filters private network routes in an account.
Get a private network route in an account.
Routes a private network through a Cloudflare Tunnel.
Updates an existing private network route in an account. The fields that are meant to be updated should be provided in the body of the request.
Deletes a private network route from an account.
Domain types
zero_trust.networks.routes.ips
Methods
Fetches routes that contain the given IP address.
zero_trust.networks.routes.networks
Methods
Deprecated
This endpoint and its related APIs are deprecated in favor of the equivalent Tunnel Route (without CIDR) APIs.
Routes a private network through a Cloudflare Tunnel. The CIDR in ip_network_encoded must be written in URL-encoded format.
Deprecated
This endpoint and its related APIs are deprecated in favor of the equivalent Tunnel Route (without CIDR) APIs.
Updates an existing private network route in an account. The CIDR in ip_network_encoded must be written in URL-encoded format.
Deprecated
This endpoint and its related APIs are deprecated in favor of the equivalent Tunnel Route (without CIDR) APIs.
Deletes a private network route from an account. The CIDR in ip_network_encoded must be written in URL-encoded format. If no virtual_network_id is provided it will delete the route from the default vnet. If no tun_type is provided it will fetch the type from the tunnel_id or if that is missing it will assume Cloudflare Tunnel as default. If tunnel_id is provided it will delete the route from that tunnel, otherwise it will delete the route based on the vnet and tun_type.
zero_trust.networks.subnets
Methods
Lists and filters subnets in an account.
zero_trust.networks.subnets.cloudflare_source
Methods
Updates the Cloudflare Source subnet of the given address family
zero_trust.networks.virtual_networks
Methods
Lists and filters virtual networks in an account.
Get a virtual network.
Adds a new virtual network to an account.
Updates an existing virtual network.
Deletes an existing virtual network.
Domain types
Organizations
zero_trust.organizations
Methods
Returns the configuration for your Zero Trust organization.
Sets up a Zero Trust organization for your account or zone.
Updates the configuration for your Zero Trust organization.
Revokes a user's access across all applications.
Domain types
zero_trust.organizations.doh
Methods
Returns the DoH settings for your Zero Trust organization.
Updates the DoH settings for your Zero Trust organization.
Risk Scoring
zero_trust.risk_scoring
Methods
Get risk event/score information for a specific user
Clear the risk score for a particular user
zero_trust.risk_scoring.behaviours
Methods
Get all behaviors and associated configuration
Update configuration for risk behaviors
zero_trust.risk_scoring.integrations
Methods
List all risk score integrations for the account.
Get risk score integration by id.
Create new risk score integration.
Overwrite the reference_id, tenant_url, and active values with the ones provided.
Delete a risk score integration.
zero_trust.risk_scoring.integrations.references
Methods
Get risk score integration by reference id.
zero_trust.risk_scoring.summary
Methods
Get risk score info for all users in the account
Seats
zero_trust.seats
Methods
Removes a user from a Zero Trust seat when both access_seat and gateway_seat are set to false.
Domain types
Tunnels
zero_trust.tunnels
Methods
Lists and filters all types of Tunnels in an account.
Domain types
zero_trust.tunnels.cloudflared
Methods
Lists and filters Cloudflare Tunnels in an account.
Fetches a single Cloudflare Tunnel.
Creates a new Cloudflare Tunnel in an account.
Updates an existing Cloudflare Tunnel.
Deletes a Cloudflare Tunnel from an account.
zero_trust.tunnels.cloudflared.configurations
Methods
Gets the configuration for a remotely-managed tunnel
Adds or updates the configuration for a remotely-managed tunnel.
zero_trust.tunnels.cloudflared.connections
Methods
Fetches connection details for a Cloudflare Tunnel.
Removes a connection (aka Cloudflare Tunnel Connector) from a Cloudflare Tunnel independently of its current state. If no connector id (client_id) is provided all connectors will be removed. We recommend running this command after rotating tokens.
Domain types
A client (typically cloudflared) that maintains connections to a Cloudflare data center.
zero_trust.tunnels.cloudflared.connectors
Methods
Fetches connector and connection details for a Cloudflare Tunnel.
zero_trust.tunnels.cloudflared.management
Methods
Gets a management token used to access the management resources (i.e. Streaming Logs) of a tunnel.
zero_trust.tunnels.cloudflared.token
Methods
Gets the token used to associate cloudflared with a specific tunnel.
zero_trust.tunnels.warp_connector
Methods
Lists and filters Warp Connector Tunnels in an account.
Fetches a single Warp Connector Tunnel.
Creates a new Warp Connector Tunnel in an account.
Updates an existing Warp Connector Tunnel.
Deletes a Warp Connector Tunnel from an account.
zero_trust.tunnels.warp_connector.token
Methods
Gets the token used to associate warp device with a specific Warp Connector tunnel.